FISMA requires federal agencies to protect IT systems and data. How often should compliance be
audited by an external organization?

A.
Annually

B.
Quarterly

C.
Every three years

D.
Never

Explanation:

Inspection of FISMA is required to be done annually. Each year, agencies must have an
independent evaluation of their program. The objective is to determine the effectiveness of the
program. These evaluations include:
Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation
does not test every policy, procedure, and practice. Instead, a representative sample is tested.
An assessment or report: This report identifies the agency’s compliance as well as lists
compliance with FISMA. It also lists compliance with other standards and guidelines.
annually, not quarterly or every three year.